diff --git a/integration-tests/tests/api/artifacts-cdn.spec.ts b/integration-tests/tests/api/artifacts-cdn.spec.ts
index 924abd1491..55898121b6 100644
--- a/integration-tests/tests/api/artifacts-cdn.spec.ts
+++ b/integration-tests/tests/api/artifacts-cdn.spec.ts
@@ -680,7 +680,7 @@ describe('CDN token', () => {
     expect(deleteResult).toEqual(
       expect.arrayContaining([
         expect.objectContaining({
-          message: `No access (reason: "Missing target:settings permission")`,
+          message: `No access (reason: "Missing permission for performing 'accessToken:delete' on resource")`,
         }),
       ]),
     );
diff --git a/packages/services/api/src/modules/auth/lib/legacy-permissions.ts b/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
index 7bb08bb78e..f96d08247f 100644
--- a/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
+++ b/packages/services/api/src/modules/auth/lib/legacy-permissions.ts
@@ -58,7 +58,12 @@ export function transformLegacyPolicies(
       case TargetAccessScope.REGISTRY_WRITE: {
         policies.push({
           effect: 'allow',
-          action: ['appDeployment:create', 'appDeployment:publish', 'appDeployment:retire'],
+          action: [
+            'appDeployment:create',
+            'appDeployment:publish',
+            'appDeployment:retire',
+            'accessToken:create',
+          ],
           resource: [`hrn:${organizationId}:*`],
         });
         break;
@@ -66,7 +71,14 @@ export function transformLegacyPolicies(
       case TargetAccessScope.SETTINGS: {
         policies.push({
           effect: 'allow',
-          action: ['schemaContract:create', 'schemaContract:disable', 'schemaContract:describe'],
+          action: [
+            'schemaContract:create',
+            'schemaContract:disable',
+            'schemaContract:describe',
+            'accessToken:create',
+            'accessToken:delete',
+            'accessToken:describe',
+          ],
           resource: [`hrn:${organizationId}:*`],
         });
         break;
diff --git a/packages/services/api/src/modules/cdn/providers/cdn.provider.ts b/packages/services/api/src/modules/cdn/providers/cdn.provider.ts
index 6458485589..66bbb34562 100644
--- a/packages/services/api/src/modules/cdn/providers/cdn.provider.ts
+++ b/packages/services/api/src/modules/cdn/providers/cdn.provider.ts
@@ -4,8 +4,7 @@ import { z } from 'zod';
 import { encodeCdnToken, generatePrivateKey } from '@hive/cdn-script/cdn-token';
 import { HiveError } from '../../../shared/errors';
 import { isUUID } from '../../../shared/is-uuid';
-import { AuthManager } from '../../auth/providers/auth-manager';
-import { TargetAccessScope } from '../../auth/providers/scopes';
+import { Session } from '../../auth/lib/authz';
 import type { Contract } from '../../schema/providers/contracts';
 import { Logger } from '../../shared/providers/logger';
 import { S3_CONFIG, type S3Config } from '../../shared/providers/s3-config';
@@ -23,7 +22,7 @@ export class CdnProvider {
 
   constructor(
     logger: Logger,
-    @Inject(AuthManager) private authManager: AuthManager,
+    private session: Session,
     @Inject(CDN_CONFIG) private config: CDNConfig,
     @Inject(S3_CONFIG) private s3Config: S3Config,
     @Inject(Storage) private storage: Storage,
@@ -86,11 +85,12 @@ export class CdnProvider {
       } as const;
     }
 
-    await this.authManager.ensureTargetAccess({
-      organization: args.organizationId,
-      project: args.projectId,
-      target: args.targetId,
-      scope: TargetAccessScope.READ,
+    await this.session.assertPerformAction({
+      action: 'accessToken:create',
+      organizationId: args.organizationId,
+      params: {
+        organizationId: args.organizationId,
+      },
     });
 
     // generate all things upfront so we do net get surprised by encoding issues after writing to the destination.
@@ -241,11 +241,12 @@ export class CdnProvider {
       args.cdnAccessTokenId,
     );
 
-    await this.authManager.ensureTargetAccess({
-      organization: args.organizationId,
-      project: args.projectId,
-      target: args.targetId,
-      scope: TargetAccessScope.SETTINGS,
+    await this.session.assertPerformAction({
+      action: 'accessToken:delete',
+      organizationId: args.organizationId,
+      params: {
+        organizationId: args.organizationId,
+      },
     });
 
     if (isUUID(args.cdnAccessTokenId) === false) {
@@ -326,11 +327,12 @@ export class CdnProvider {
     first: number | null;
     cursor: string | null;
   }) {
-    await this.authManager.ensureTargetAccess({
-      organization: args.organizationId,
-      project: args.projectId,
-      target: args.targetId,
-      scope: TargetAccessScope.SETTINGS,
+    await this.session.assertPerformAction({
+      action: 'accessToken:describe',
+      organizationId: args.organizationId,
+      params: {
+        organizationId: args.organizationId,
+      },
     });
 
     const paginatedResult = await this.storage.getPaginatedCDNAccessTokensForTarget({